Data Security

Subscribe to Data Security

The European Securities and Markets Authority (ESMA), the EU’s securities markets regulator, recently announced that it fined UnaVista Limited, a UK-based trade repository, €238,500 ($280,000) for eight breaches of the European Market Infrastructure Regulation (EMIR).  The EMIR includes rules regulating the conduct of trade repositories, and in conjunction with its role as the supervisor of trade repositories under EMIR, ESMA is empowered to file enforcement actions in response to infringements of EMIR by trade repositories.

Continue Reading European Securities Watchdog Fine Highlights Importance of Data Integrity and Regulatory Access

The FTC recently settled with a surveillance app operator over allegations that the company facilitated the secret harvesting of personal information. According to the FTC, the main users of Support King, LLC’s “SpyFone” app were bad actors who used the tool to remotely monitor users’ physical and digital activities. The FTC dismissed the company’s argument that the users were employers and parents as a “pretext.” It felt neither group would want to use the product, which to install required minimizing the device’s security settings and potentially voiding the device warranty.

Continue Reading FTC Surveillance App Settlement Signals Concern Over Deceptive Tracking

The New York Department of Financial Service recently clarified security incident notification requirements and the use of multi-factor authentication. On its FAQ page, the NYDFS added two new questions and answers for financial services companies subject to 23 NYCRR Part 500.

Continue Reading NYDFS FAQ Provides Clarity on Breach Notification and Security Requirements

The California AG recently reminded companies in the healthcare industry of potential data breach notification obligations beyond HIPAA. As ransomware attacks continue to rise, particularly in healthcare, companies should keep in mind the patchwork of state and federal health data privacy laws that may apply.

Continue Reading Breach of PHI? California AG Reminds Companies of Potential State Notification Obligations

The SEC recently announced a settlement with Pearson plc where the company has agreed to pay $1 million to settle charges that it misled investors about a 2018 cyber incident. According to the order, Pearson made misleading statements and omissions about a 2018 data breach involving the theft of student data and administrator credentials in its July 2019 semi-annual report.

Continue Reading SEC Fine Highlights Importance of Cybersecurity Disclosures

In addition to recently passing a cybersecurity safe harbor law, Connecticut also updated its data breach notification law. Connecticut joins Texas in passing changes to breach notification requirements this year. There are three key changes included in this amendment.

Continue Reading Connecticut Expands Data Breach Notification Law, Changes Effective October 1, 2021

Connecticut recently enacted cybersecurity legislation that provides a safe harbor for businesses that implement a written cybersecurity program. Under the legislation, set to go in effect on October 1, 2021, punitive damages will not be assessed on a business that has suffered a data breach, in the event that there are causes of action alleging a failure to implement reasonable cybersecurity controls, which failure resulted in the breach.

Continue Reading Connecticut Enacts New Cybersecurity Safe Harbor

The Georgia Supreme Court recently concluded that Georgia’s equivalent of the CFAA should be viewed narrowly, similar to the US Supreme Court’s recent, similar decision in Van Buren. In Kinslow v. State, the Georgia Supreme Court held that even if there is unauthorized use of a computer or computer network, there must be enough evidence to prove that the defendant used the computer network knowingly without authority and with the intention of obstructing or interfering with the use of data.

Continue Reading New Decision Narrows Scope of Georgia Computer Trespass Statute

MoviePass, a movie subscription service, has agreed to a proposed settlement with the FTC over alleged deception and lack of security allegations. The now-defunct company not only allegedly marketed its service as a “one movie per day” service – yet took steps to actively deny subscribers such access – it also failed, according to the FTC, to secure subscriber’s personal data. The company also was alleged to have violated the Restore Online Shoppers’ Confident Act, which impacts the offering of “negative option” (subscription) services.
Continue Reading FTC Settles Security Claims With Both MoviePass and Its Owners

Starting this fall, companies transferring personal data from the European Economic Area (EEA) will likely begin to see a flurry of contract renegotiations. On June 4, 2021, the European Commission adopted long awaited new Standard Contractual Clauses (SCCs) for transfers out of the EEA. SCCs have been one of the more popular ways for Companies to transfer personal data from the EEA to third countries whose privacy laws have not been deemed “adequate” (like the US). The prior SCCs pre-date GDPR (see our discussion here), and have been updated to (1) more directly address GDPR and (2) because of comments in Schrems II last July, which called into question their use (the court noted that even under SCCs, certain “supplementary measures” might be needed for cross-border transfers).
Continue Reading Understanding When to Use Two New Sets of Standard Contractual Clauses Issued by the EU